Re: [OAUTH-WG] State Leakage Attack

"torsten@lodderstedt.net" <torsten@lodderstedt.net> Fri, 22 April 2016 17:07 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9203B12D934 for <oauth@ietfa.amsl.com>; Fri, 22 Apr 2016 10:07:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IYogqM4Dxh4f for <oauth@ietfa.amsl.com>; Fri, 22 Apr 2016 10:07:56 -0700 (PDT)
Received: from smtprelay01.ispgateway.de (smtprelay01.ispgateway.de [80.67.31.39]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6603812D751 for <oauth@ietf.org>; Fri, 22 Apr 2016 10:07:54 -0700 (PDT)
Received: from [87.140.195.4] (helo=[172.17.2.4]) by smtprelay01.ispgateway.de with esmtpsa (TLSv1.2:DHE-RSA-AES128-GCM-SHA256:128) (Exim 4.84) (envelope-from <torsten@lodderstedt.net>) id 1ateYa-0007XD-H4; Fri, 22 Apr 2016 19:07:52 +0200
Date: Fri, 22 Apr 2016 19:07:48 +0200
Message-ID: <4ea52uuwo0qag9ijskcke5mh.1461344868116@com.syntomo.email>
In-Reply-To: <571A3860.90609@uni-trier.de>
References: <571A3339.706@uni-trier.de> <8E6CA392-96B3-4DBE-8167-9FDD972A31A8@adobe.com> <571A36AE.5020105@uni-trier.de> <DEC7CA6F-5C6B-406F-97B8-0675D1A7D24F@adobe.com> <571A3860.90609@uni-trier.de>
From: "torsten@lodderstedt.net" <torsten@lodderstedt.net>
To: fett@uni-trier.de, asanso@adobe.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--_com.syntomo.email_6395466660820414"
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/MEZuOkS600c85UK8KqwdIkFJYEM>
Cc: gschmitz@informatik.uni-trier.de, oauth@ietf.org, kuesters@uni-trier.de
Subject: Re: [OAUTH-WG] State Leakage Attack
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Apr 2016 17:07:57 -0000

Hi Daniel,

how is the attackers supposed to utilise the leaked state value? I would assume the legit client binds it to a certain user agent, e.g. via the session context, which is not available to the attacker.

best regards,
Torsten.

-------- Originalnachricht --------
Betreff: Re: [OAUTH-WG] State Leakage Attack
Von: Daniel Fett <fett@uni-trier.de>
An: Antonio Sanso <asanso@adobe.com>
Cc: Guido Schmitz <gschmitz@informatik.uni-trier.de>,oauth@ietf.org,Ralf Kuesters <kuesters@uni-trier.de>

>Am 22.04.2016 um 16:39 schrieb Antonio Sanso:
>> hi Daniel
>> 
>> On Apr 22, 2016, at 4:35 PM, Daniel Fett <fett@uni-trier.de
>> <mailto:fett@uni-trier.de>> wrote:
>> 
>>> Hi Antonio,
>>>
>>> Am 22.04.2016 um 16:30 schrieb Antonio Sanso:
>>>>> Hi all,
>>>>>
>>>>> During our formal analysis of OAuth we found an attack that allows
>>>>> CSRF. It is similar to the "code" leak described by Homakov in [1] and
>>>>> therefore not really surprising. In this attack, the intention for an
>>>>> attacker is to steal the "state" value instead of the "code" value.
>>>>>
>>>>> Setting:
>>>>>
>>>>> In the auth code grant, after authentication to the AS, the user is
>>>>> redirected to some page on the Client. If this page leaks the
>>>>> referrer, i.e., there is a link to the attacker's website or some
>>>>> resource is loaded from the attacker, then the attacker can see not
>>>>> only code but also state in the Referer header of the request.
>>>>>
>>>>> The fact that code can leak was described in [1]. Since code is
>>>>> single-use, it might be already redeemed in most cases when it is sent
>>>>> to the attacker.
>>>>
>>>> probably is not redeemed instead, just because the redirect_uri is
>>>> not the correct one.
>>>> The mitigation that good implemented AS use (also Github) is to
>>>> follow section 4.1.3 the OAuth core specification [RFC6749], in
>>>> particular:
>>>>
>>>> "ensure that the "redirect_uri" parameter is present if the
>>>> "redirect_uri" parameter was included in the initial authorization
>>>> request as described in Section 4.1.1, and if included ensure that
>>>> their values are identical."
>>>
>>> The attack is not based on a manipulation of the redirect_uri. Instead,
>>> a correct redirect_uri is used, but the page loaded from the
>>> redirect_uri contains links or external resources (intentionally or not).
>> 
>> right. so is not really [1] :) since there there is manipulation using
>> /../../ 
>
>Of course.
>
>> Now the real question why a legit redirect_uri should contain links to
>> malicious external resources?
>
>Well, why not? :)
>
>Anyway, developers should be made aware that having external
>resources/links on these pages is a bad idea.
>
>- Daniel
>
>-- 
>Informationssicherheit und Kryptografie
>Universität Trier - Tel. 0651 201 2847 - H436
>
>_______________________________________________
>OAuth mailing list
>OAuth@ietf.org
>https://www.ietf.org/mailman/listinfo/oauth
>